Great framework for thinking about AI security and governance holistically. The point about 55% of leaders lacking knowledge of AI
regulation impact resonates strongly, and that number was before the EU AI Act entered its enforcement timeline (August 2026 for
full application).
One area I'd add: the gap between having security controls and demonstrating governance readiness to regulators and auditors.
Microsoft's tooling covers the discover-protect-govern cycle well at the technical layer, but many organisations still lack the
organisational governance layer: formal policies, accountability structures, risk frameworks scored against specific regulatory
requirements. That's the piece that boards and audit committees are increasingly asking for, and it's where most mid-market
organisations are underprepared.
The shift from "restrict all AI" to "govern AI proactively" is exactly right. The organisations acting now will be in a much
stronger position when enforcement begins.